Strange access log patterns

Forum Moderators: phranque

Message Too Old, No Replies

Strange access log patterns

Requests broken over multiple IPs

UserFriendly

4:36 pm on Nov 8, 2006 (gmt 0)

Can anyone tell me what is going on when a request seems to be split across two or more IP addresses?

For instance, my logs seem to suggest that one IP address is used to request the HTML page, CSS and some images, then a second, very close IP address is used to request the remaining images for the page.

Why would someone want to split up their requests across IPs on the same network like this?

jtara

7:54 pm on Nov 8, 2006 (gmt 0)

I can give you an example of a very legitimate reason for this, although it is probably quite rare.

Netscreen firewalls (and, presumably other brands, as well) have a feature that will randomly spread NATed traffic over multiple IP addresses on the untrust interface. This is meant as a security measure. (Making the browser less uniquely-identifiable.)

A router or firewall might also be set-up to spread traffic over multiple interfaces. (e.g. multiple internet connections). This would typically be done for load-balancing, though it would also more-effectively accomplish the security goal above.

Similar techniques might also be used to provide greater bandwidth by using multiple low-speed connections where high-speed connections are not available.

encyclo

7:57 pm on Nov 8, 2006 (gmt 0)

This is very common with connections from AOL - you can get a different IP address for each object on the page. It's just the way that AOL have set up their network.

SteveWh

6:36 am on Nov 9, 2006 (gmt 0)

I see that a lot with AOL. I believe that phenomenon is the "optimized" part of "AOL Optimized, 9x Faster!" (or whatever their slogan is) and some other "optimized" services. When I first saw it, I came up with a plausible explanation why distributing the requests among multiple IPs making parallel requests might somehow speed things up, but thinking about it tonight, I'm unable to remember or reconstruct it and have doubts it could make anything work faster. It won't make your server service the incoming requests any faster, so if it does anything, it would have to be at AOL's end.

tedster

7:46 am on Nov 9, 2006 (gmt 0)

AOL's been doing things this way for many years -- going way back into the last century, I believe. Other ISPs also from time to time, but AOL is obviously the most prominent. I've seen 7 IP addresses for one AOL user accessing one page.

They do it to drive log analyzer's batty, I think.

Romeo

2:14 pm on Nov 9, 2006 (gmt 0)

They do it to drive log analyzer's batty, I think.

... or it may be a technical side effect of running a loadbalanced farm of parallel proxy servers for their many customers they have. Have seen this with some other large entities, too, where just one single proxy won't be sufficient -- due to traffic volume and/or for failover/redundancy reasons.

Kind regards,
R.